Diagnosing Ontario’s Electronic Medical Records Bill: Healthier, but Not Out of the Woods Yet

The Ontario Government’s new electronic health records bill has passed its second reading. The Electronic Personal Health Information Protection Act (Bill 78, EPHIPA or EHR Act), is a responsive and important – yet still wanting – update to Ontario’s 2004 electronic health records legislation.

The main update is the addition of Part V.1, a framework for the administration of an electronic health record (EHR). Hicks Morley and Michael Power have provided strong shorthand summaries of the legislative changes. The Ontario Hospital Association (OHA) has also created a thorough bulletin breaking Part V.1 down into its component parts and describing what the legislation actually means. The update mandates:

  • Privacy and security requirements that “prescribed organizations” managing EHRs must comply with, particularly in regards to collecting and sharing EHR data;
  • The process for consent directives – known in some cases as the “lockbox” request or opt-out, where patients may refuse to share their personal health information (PHI) – and the limits of consent directives (i.e. where third parties may be at risk of bodily harm);
  • An advisory committee be set up by the Minister of Health to provide EHR recommendations and guidance;
  • A requirement whereby the Minister of Health must take all direction intended for prescribed organizations to the advisory committee and Information and Privacy Commissioner before directing any prescribed organization; and
  • Increased breach of privacy fines of up to $100,000 for a convicted individual and $500,000 for a convicted organization.

Analysis

This is well-intentioned legislation. It is clearly aimed at providing much-needed privacy protections for citizens amidst the inevitable transition toward electronic medical data collection. My technical concerns centre on a few key issues, namely the ambiguity of a “prescribed organization”, the opt-out limitations, the strength of the advisory committee, and the rigour of prescribed organizations’ accountability to the public. Not all of these need to be thoroughly addressed within the legislation. Certainly a technocratic bill can become impractical and quickly outdated, but it is my opinion that some of the issues could have been better fleshed out within the bill text.

Ambiguity of Prescribed Organization

Part V.1 is clearly a framework for EHRs, not regulatory guidelines for which bodies will be considered “prescribed organizations.” It is difficult to agree on what powers prescribed organizations will (and will not) have without an understanding of which bodies will fall under this term. eHealth Ontario is one group that will clearly receive “prescribed organization” status, but who else? In my opinion, the clear question that arises is to what extent private companies will be considered “prescribed organizations”.

If there is no intent to allow private companies the designation, then why not draft the legislation more accurately and explicitly? The ambiguity of the term “prescribed organization” makes me uncomfortable.

The Opt-Out Limitations

Refusing to let patients opt out of PHI sharing is tricky. There are huge privacy and civil liberty concerns in allowing a health data collection group the right to override a patient’s request for privacy. But, on the other hand, there are public safety implications that do merit some exceptions to the opt-out. In my opinion, the test for overriding the requested opt-out needs to be exceptionally high; to develop health care industry norms otherwise would be disastrous.

The OHA has also raised a valid point that the current wording of the legislation seems to imply that the opt-outs can only be made to the prescribed organizations (for example, eHealth Ontario). They rightly point out that health information custodians (HICs), such as doctors or long-term care facility staff, should also be allowed to take consent directives for patients wanting to opt out. This certainly seems to make sense from a patient care perspective; there is ease and intuitiveness associated with making your privacy requests directly to your health care practitioner.

Advisory Committee Strength

I believe in parliamentary committees, especially when they have teeth. Serious, legitimate, proactive, and credible committees staffed with a diverse mix of courageous and smart stakeholders are exactly what this province and country need. Unfortunately, they are often susceptible to “committee-itis”, passive rubber-stamping, or highly intellectual report-making. This advisory committee has a huge role to play in one of the most important public policy issues of the day. This committee needs to be implemented with immense focus and commitment by the Ministry. Also, the Privacy Commissioner should be involved in the committee structure and creation as a far more independent, less politicized body than the Government’s health ministry.

Prescribed Organizations’ Public Accountability

This legislation has a number of good public reporting requirements. It dictates that prescribed organizations must publicly account for their EHR safety and security measures, as well as other processes. One thing I noticed was missing – as did the OHA in its bulletin – was a risk management protocol for the privacy breach disclosure process. What if a system is violated and information is shared? What onus is there on the prescribed organization to report the violation to the public? To the individuals whose information was breached? To the Ministry of Health? To the police? If they do need to report the breach, how quickly does it need to be reported? Suffice it to say, there are a number of outstanding questions to be answered.

Increased fines are a strong incentive to prevent EHR privacy breaches, but they are also a disincentive to report EHR privacy breaches. Realistically, there is a risk associated with electronic data. But the gains in efficiency and accuracy are so great that it seems as if we, as a society, are collectively agreeing to take on the increased risk. It’s a logical, rational choice, but we need to plan for and manage that risk. In this legislation, the Government seems to say, “never allow privacy breaches.” This is impractical. In my opinion, the Government instead needs to say, “do everything you can to prevent privacy breaches. If they happen, you must do the following…” Risk and crisis management protocols that make strong commitments to the public interest are a necessity.

The Bigger Picture

The more the world digitizes, the more important privacy becomes. With every piece of legislation of this nature, the Privacy Commissioner’s office needs an adequate boost in funding and standing. The Ontario Privacy Commission is one of the best in the country, but it can only be so with apt resources.

We may need to think bigger. The public interest needs more than just a privacy watchdog; it needs government leadership on privacy. In the digital age, threats to our privacy and civil liberties are coming from many more sides than ever before. On a daily basis, private corporations and the data they collect about us through information technology are one of the most important concerns for our privacy. They can collect and store information about us when we write it in emails and even when we play video games. If we’re going to get serious about protecting our digital health information, I think we should get serious about protection.

Bill 78 is an attempt by the government to be proactive about digital privacy, but, in my opinion, it’s only a drop in the bucket in the context of what we might need in the future. Is it time for ministries of public health to get more involved on privacy? Is it time to establish ministries of privacy? It’s something to consider.

The concept of ministries of privacy is a counterintuitive and controversial one, but I think something drastic needs to happen. Perhaps this is the way. The systems in place to protect citizen privacy need work. The current leadership in civil liberties and privacy offices is taking steps, but it is not keeping pace with developments in information technology. In the end, the solution is more information technology privacy legislation, and only our governments can enact it.

Governments are now in an important and unique position to protect our privacy. We need a privacy commissioner to protect our privacy from intruding government action and we need a government to protect our private information – health-related and otherwise – from corporations that look to misuse it. Will they step up to the challenge?

Denise is an IPilogue Editor, a Western University JD/MBA Candidate, and researcher for GRAND (Graphics, Research and New Media) Centre and Commercialization Engine.